Portfolio Post

Initial Dev Tenant Setup

Before diving deeper into Intune and endpoint labs, I wanted to make sure the tenant had a sensible security baseline. Even a dev tenant should be treated seriously because it still contains real data.

Date

12 April 2026

Focus

Compliance policies, Conditional Access, Managed Google Play setup

Platforms

Windows, Android, Microsoft 365

Goal

Create a more secure default tenant baseline

Why this mattered: I wanted the tenant to behave more like a real environment. It's easy to forget security on a development/test tenant, so I wanted to make sure the basics were in place before going further.

Summary

Before moving further into labs, I wanted to improve the tenant’s baseline security. My personal environment includes Windows, Mac, and iOS, but for my dev tenant I bought a cheap Poco phone to use as a device for MAM/MDM testing. I will be adding compliance policies and Conditional Access policies to enhance security, as well as creating and connecting a Managed Google Play account for Android management.

The goal here was to make sure the tenant was no longer running on overly relaxed defaults before I started adding more devices, policies, and test scenarios.

Objective

My objective was to create compliance policies for Windows and Android, connect Managed Google Play for Android Enterprise management, disable the setting that treats unmanaged devices as compliant, and replace security defaults with more targeted Conditional Access controls.

I also wanted to build an example Conditional Access policy that blocks sign-ins from outside the United Kingdom, which to me is one of the most effective CA policies we give to our clients.

What I configured

  • Disabled "Mark devices with no compliance policy assigned as compliant" (under Devices > Compliance > Compliance policy settings), so devices with no policy assigned would immediately be treated as not compliant.
  • Connected Managed Google Play under Android enrolment to prepare the tenant for Android Enterprise management.
  • Disabled security defaults so more granular Conditional Access policies could be used instead. Conditional Access needs an Entra ID P1 licence, and turning security defaults off removes their MFA enforcement, so the replacement MFA policy has to exist before this step or the tenant is briefly left without MFA.
  • Built Windows and Android compliance policies to set minimum security expectations for managed devices.
  • Created a Conditional Access location-based block policy for non-UK sign-ins.

Windows compliance policy

  • Platform: Windows 10 and later
  • Profile type: Windows 10/11 compliance policy
  • Name: CMW IT Windows Compliance Policy
  • Description: Default policy for standard CMW IT devices
  • Device health: Require BitLocker, Secure Boot, and Code Integrity
  • Device properties: Minimum OS version 10.0.26100 (Windows 11 24H2)
  • System security: Require password, block simple passwords, minimum length 8, password expiration 41 days (periodic expiry is an organisational choice; Microsoft dropped it from its Windows security baseline in 2019), require encryption, require firewall, require TPM, require antivirus and antispyware

Android compliance policy

  • Platform: Android Enterprise
  • Profile: Personally-owned work profile
  • Name: CMW IT Android Compliance Policy
  • Description: Default policy for standard CMW IT Android devices
  • Device health: Block rooted devices, require Google Play Services to be configured
  • Device properties: Minimum OS version 12
  • System security: Block apps from unknown sources, enable Company Portal runtime integrity, block USB debugging, require password to unlock, password expiration 60 days, prevent reuse of last 3 passwords, require passcode after 5 minutes of inactivity, password complexity set to medium
  • Work profile: Mirrored the same password and security expectations for the work profile
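The same Windows policy and the tenant-wide compliance default, as an added example (not code from the original post) using the Microsoft.Graph PowerShell SDK. It assumes the SDK is installed and you can consent to the listed scopes, uses the beta endpoint because some of the Windows properties (TPM, antivirus, antispyware) are only exposed there, and uses a placeholder group id for the assignment. `secureByDefault` is the Graph property behind the portal toggle "Mark devices with no compliance policy assigned as compliant" (true means Not compliant). The Android work-profile policy is created the same way with the `androidWorkProfileCompliancePolicy` type and is not repeated here.

```powershell
# Added example (not from the original post): create the Windows compliance
# policy described above through Microsoft Graph and set the tenant-wide
# "no compliance policy assigned" default to Not compliant.
# Assumes: Microsoft.Graph PowerShell SDK installed; placeholder ids replaced.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "DeviceManagementServiceConfig.ReadWrite.All"

# 1. Built-in compliance setting. secureByDefault = $true is the Graph name for
#    "Mark devices with no compliance policy assigned as compliant" = Not compliant.
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/beta/deviceManagement" `
    -Body @{ settings = @{ secureByDefault = $true } }

# 2. Windows 10/11 compliance policy mirroring the bullet list above.
$policy = @{
    "@odata.type"            = "#microsoft.graph.windows10CompliancePolicy"
    displayName              = "CMW IT Windows Compliance Policy"
    description              = "Default policy for standard CMW IT devices"
    # Device health
    bitLockerEnabled         = $true
    secureBootEnabled        = $true
    codeIntegrityEnabled     = $true
    # Device properties
    osMinimumVersion         = "10.0.26100"   # Windows 11 24H2
    # System security
    passwordRequired         = $true
    passwordBlockSimple      = $true
    passwordMinimumLength    = 8
    passwordExpirationDays   = 41
    storageRequireEncryption = $true
    activeFirewallRequired   = $true
    tpmRequired              = $true
    antivirusRequired        = $true
    antiSpywareRequired      = $true
    # Graph rejects a policy with no action for non-compliance. A "block"
    # action with a 0-hour grace period marks the device Not compliant at once,
    # which is what the portal does when you leave the default action in place.
    scheduledActionsForRule  = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = "" }
            )
        }
    )
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies" `
    -Body $policy

# 3. Assign it to the group that holds the managed Windows devices
#    (placeholder id; an unassigned policy evaluates nothing).
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                       groupId       = "<device-group-object-id>" } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body $assignment

"Created '{0}' ({1})" -f $created.displayName, $created.id
```

Invoke-MgGraphRequest serialises a hashtable body to JSON for you, so the same hashtable shape can be pasted into Graph Explorer to compare with what the portal shows under the policy's settings.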

Conditional Access approach

This policy was built as an example for a business operating in the United Kingdom. If travel or remote work outside the UK is needed, the relevant country can simply be added to the exclusions. Two caveats worth knowing before enabling it: country named locations are resolved from the sign-in's source IP address (or from GPS if that lookup method is chosen), so a user whose VPN egresses abroad, or an IP that cannot be mapped to a country, is also blocked; and the policy should go live in report-only mode first with the break-glass account excluded, so the What If tool and sign-in logs can confirm it only catches the sign-ins you expect.

  • Policy name: All Staff - Country Block
  • Users: Include all users, with one admin account excluded
  • Target resources: All cloud apps
  • Network: Include any network or location, exclude a country named location for the United Kingdom
  • Device platform: Any device
  • Grant control: Block access

Alongside that, the tenant was configured so that devices without a compliance policy are immediately treated as not compliant. That creates a stronger default position for any new devices entering the environment. I also implemented a separate policy requiring MFA for all users and admins, excluding a break-glass account.
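The "All Staff - Country Block" policy built through Microsoft Graph, as an added example (not code from the original post). It assumes the Microsoft.Graph PowerShell SDK, an account that can consent to the Conditional Access scopes, and a placeholder object id for the excluded break-glass/admin account. The policy is created in report-only mode rather than enabled; switch `state` to `"enabled"` only after the What If tool or sign-in logs confirm that only non-UK sign-ins would be blocked.

```powershell
# Added example (not from the original post): create the UK country named
# location and the "All Staff - Country Block" policy via Microsoft Graph,
# in report-only mode, with the break-glass account excluded.
# Assumes: Microsoft.Graph PowerShell SDK; placeholder id replaced.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassId = "<break-glass-account-object-id>"   # placeholder, must be excluded

# 1. Country named location for the United Kingdom. clientIpAddress resolves the
#    country from the sign-in's source IP. includeUnknownCountriesAndRegions=$false
#    keeps unmappable IPs out of the UK location, so they fall into the block.
$ukLocation = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations" `
    -Body @{
        "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
        displayName                       = "United Kingdom"
        countriesAndRegions               = @("GB")
        includeUnknownCountriesAndRegions = $false
        countryLookupMethod               = "clientIpAddress"
    }

# 2. The policy: all users (minus break-glass), all cloud apps, any platform,
#    any location except the UK, grant control = block.
$policy = @{
    displayName   = "All Staff - Country Block"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        platforms    = @{ includePlatforms = @("all") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($ukLocation.id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $policy

# 3. Read the policy back and refuse to go further if the break-glass exclusion
#    did not land; a block policy on "All users" with no exclusion locks you out.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)"
if ($check.conditions.users.excludeUsers -notcontains $breakGlassId) {
    throw "Break-glass account is not excluded from '$($check.displayName)'; do not enable it."
}
"'{0}' created in state '{1}'; UK location excluded: {2}" -f $check.displayName, $check.state,
    ($check.conditions.locations.excludeLocations -contains $ukLocation.id)
```

The named location id is what the policy references, so create the location first and reuse `$ukLocation.id` rather than typing the GUID by hand; if a second country later needs access, add it to `countriesAndRegions` on the same named location instead of creating another policy.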

What I learned

Although I have done these tasks many times at work, this setup reinforced that initial tenant hardening matters. If the starting point is too relaxed, it opens doors. Tightening the compliance defaults and using Conditional Access closes those doors early. Initial security tasks are often overlooked in favour of much larger tasks. If you are an MSP that has just inherited a tenant, how do you know it's secure? How do you know the Conditional Access policies are working? It is always worth spending an hour or two reviewing these before bigger tasks.
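A read-only first pass over the three controls this post changes, for a tenant you have just inherited, as an added example (not code from the original post). It assumes the Microsoft.Graph PowerShell SDK, read-only scopes, and a placeholder object id for the break-glass account; it changes nothing and only prints what it finds.

```powershell
# Added example (not from the original post): read-only review of security
# defaults, the "no compliance policy assigned" default, and every Conditional
# Access policy's state, scope and break-glass exclusion.
# Assumes: Microsoft.Graph PowerShell SDK; placeholder id replaced.

Connect-MgGraph -Scopes "Policy.Read.All", "DeviceManagementConfiguration.Read.All"
$breakGlassId = "<break-glass-account-object-id>"   # placeholder

# Security defaults still enabled means Conditional Access is not actually in play.
$sd = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy"
"Security defaults enabled:                         $($sd.isEnabled)"

# secureByDefault = false is the relaxed portal default (unassigned devices are compliant).
# Single quotes stop PowerShell expanding $select in the URI.
$dm = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement?$select=settings'
"Devices with no compliance policy count as compliant: $(-not $dm.settings.secureByDefault)"

# Conditional Access: flag policies that are not enforced, and enabled policies
# that target all users without excluding the break-glass account.
$policies = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies").value
""
"{0,-40} {1,-36} {2,-22} {3}" -f "Policy", "State", "Grant controls", "Finding"
foreach ($p in $policies) {
    $allUsers = $p.conditions.users.includeUsers -contains "All"
    $excluded = $p.conditions.users.excludeUsers -contains $breakGlassId
    $controls = ($p.grantControls.builtInControls -join ",")   # empty for session-only policies
    $finding  = if ($p.state -ne "enabled") { "not enforced" }
                elseif ($allUsers -and -not $excluded) { "ALL USERS, break-glass NOT excluded" }
                else { "" }
    "{0,-40} {1,-36} {2,-22} {3}" -f $p.displayName, $p.state, $controls, $finding
}
```

Report-only policies show up as "not enforced" on purpose: a tenant full of report-only MFA policies looks protected in the portal list but enforces nothing, which is exactly the kind of thing an inherited tenant hides.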

This has also given me hands-on experience of adding a Managed Google Play account to Intune, which is useful for my MD-102.

Screenshots


Screenshot 1. Conditional Access What If tool showing the country block policy applying to the test scenario.
Screenshot 2. Built-in compliance setting changed so devices with no assigned compliance policy are marked as not compliant.
Screenshot 3. Managed Google Play connected for Android Enterprise enrolment and management.
Screenshot 4. Conditional Access policy configured to block access outside the United Kingdom.

Next steps

With the basics now tightened up, I can move on to other projects and come back to stricter controls later.